From 7a1bfcaaf91f3b80b92aaf12621aad650c0beddf Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 22 Dec 2020 01:59:47 +0100
Subject: [PATCH] fixed libfuzzer, some integer wraps
---
 afl/src/mutators/mutations.rs | 26 ++++++++++++++------------
 fuzzers/libfuzzer_stats/Cargo.toml | 1 +
 fuzzers/libfuzzer_stats/build.rs | 16 +++++++++-------
 3 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/afl/src/mutators/mutations.rs b/afl/src/mutators/mutations.rs
index 05448a7029..62ce704fd9 100644
--- a/afl/src/mutators/mutations.rs
+++ b/afl/src/mutators/mutations.rs
@@ -166,7 +166,8 @@ where
 let idx = rand.below(input.bytes().len() as u64) as usize;
 unsafe {
 // moar speed, no bound check
- *input.bytes_mut().get_unchecked_mut(idx) += 1;
+ let ptr = input.bytes_mut().get_unchecked_mut(idx);
+ *ptr = (*ptr).wrapping_add(1);
 }
 Ok(MutationResult::Mutated)
 }
@@ -190,7 +191,8 @@ where
 let idx = rand.below(input.bytes().len() as u64) as usize;
 unsafe {
 // moar speed, no bound check
- *input.bytes_mut().get_unchecked_mut(idx) -= 1;
+ let ptr = input.bytes_mut().get_unchecked_mut(idx);
+ *ptr = (*ptr).wrapping_sub(1);
 }
 Ok(MutationResult::Mutated)
 }
@@ -265,8 +267,8 @@ where
 let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8;
 let num = 1 + rand.below(ARITH_MAX) as u8;
 match rand.below(2) {
- 0 => *ptr += num,
- _ => *ptr -= num,
+ 0 => *ptr = (*ptr).wrapping_add(num),
+ _ => *ptr = (*ptr).wrapping_sub(num),
 };
 }
 Ok(MutationResult::Mutated)
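Review bot: The `unsafe` blocks in the three byte-level hunks (@@ -166, @@ -190 and @@ -265) still carry only `// moar speed, no bound check` rather than a `// SAFETY:` comment stating why `idx` is in bounds, and that argument only holds when `input.bytes()` is non-empty: whatever `rand.below(0)` returns, no index is valid for an empty slice, so `get_unchecked_mut(idx)` would then write past the end. The switch to `wrapping_add`/`wrapping_sub` itself is right, since the old `+=`/`-=` panicked on overflow in debug builds. I would guard before the index is drawn with `if input.bytes().is_empty() { return Ok(MutationResult::Skipped); }` (assuming that is the non-mutating variant used in this file) and replace the comment with `// SAFETY: idx < input.bytes().len(): the slice is non-empty and rand.below(len) yields [0, len)`. Each enclosing function starts above its hunk, so such a guard may already exist there; if it does, the SAFETY comment should point at it. The u16/u32 hunks further down have the same gap, with `idx` computed outside the hunk.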
@@ -294,10 +296,10 @@ where
 let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16;
 let num = 1 + rand.below(ARITH_MAX) as u16;
 match rand.below(4) {
- 0 => *ptr += num,
- 1 => *ptr -= num,
- 2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(),
- _ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(),
+ 0 => *ptr = (*ptr).wrapping_add(num),
+ 1 => *ptr = (*ptr).wrapping_sub(num),
+ 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(),
+ _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(),
 };
 }
 Ok(MutationResult::Mutated)
@@ -325,10 +327,10 @@ where
 let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32;
 let num = 1 + rand.below(ARITH_MAX) as u32;
 match rand.below(4) {
- 0 => *ptr += num,
- 1 => *ptr -= num,
- 2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(),
- _ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(),
+ 0 => *ptr = (*ptr).wrapping_add(num),
+ 1 => *ptr = (*ptr).wrapping_sub(num),
+ 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(),
+ _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(),
 };
 }
 Ok(MutationResult::Mutated)
diff --git a/fuzzers/libfuzzer_stats/Cargo.toml b/fuzzers/libfuzzer_stats/Cargo.toml
index 4f52bad5b7..80b836a0cc 100644
--- a/fuzzers/libfuzzer_stats/Cargo.toml
+++ b/fuzzers/libfuzzer_stats/Cargo.toml
@@ -19,6 +19,7 @@ debug = true
 [build-dependencies]
 cc = "1.0"
+num_cpus = "1.0"
 [dependencies]
 clap = "2.32.0"
diff --git a/fuzzers/libfuzzer_stats/build.rs b/fuzzers/libfuzzer_stats/build.rs
index 39b52042ab..75d76e4181 100644
--- a/fuzzers/libfuzzer_stats/build.rs
+++ b/fuzzers/libfuzzer_stats/build.rs
@@ -19,7 +19,6 @@ fn main() {
 .file("./harness.c")
 .compile("libfuzzer-sys");
-
 let libpng = format!("{}/libpng-1.6.37", &out_dir);
 let libpng_path = Path::new(&libpng);
 let libpng_tar = format!("{}/libpng-1.6.37.tar.gz", &out_dir);
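Review bot: In the u16 hunk (@@ -294) and the u32 hunk (@@ -325) the new match arms still read and write through `*ptr`, where `ptr` was produced by casting a `*mut u8` at an arbitrary byte offset to `*mut u16`/`*mut u32`; a plain dereference of a misaligned pointer is undefined behaviour in Rust whatever the target CPU tolerates, and Miri reports it. `wrapping_add`/`wrapping_sub` remove the overflow panic but not this. The value should be loaded once with `ptr.read_unaligned()`, transformed, and stored back with `ptr.write_unaligned(..)`, which also drops the repeated dereferences inside the match. The computation of `idx`, and with it the guarantee that the whole 2- or 4-byte window stays inside `input.bytes()`, lies above the hunk, so the `// SAFETY:` comment the block lacks should state that bound and be checked against it. The u16 version is sketched below; the u32 hunk changes identically with `u32`.
```rust
let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16;
let num = 1 + rand.below(ARITH_MAX) as u16;
// SAFETY: requires idx + 1 < input.bytes().len() — confirm against the idx
// computation above; the pointer may be misaligned, hence unaligned access.
let val = ptr.read_unaligned();
let new = match rand.below(4) {
    0 => val.wrapping_add(num),
    1 => val.wrapping_sub(num),
    2 => val.swap_bytes().wrapping_add(num).swap_bytes(),
    _ => val.swap_bytes().wrapping_sub(num).swap_bytes(),
};
ptr.write_unaligned(new);
```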
@@ -49,11 +48,14 @@ fn main() {
 .unwrap();
 Command::new("make")
 .current_dir(&libpng_path)
- .env("CC", "clang")
- .env("CXX", "clang++")
- .env("CFLAGS", "-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard")
- .env("LDFLAGS", "-fPIE -fsanitize-coverage=trace-pc-guard")
- .env("CXXFLAGS", "-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard")
+ .arg(&format!("-j{}", num_cpus::get()))
+ .args(&[
+ "CC=clang",
+ "CXX=clang++",
+ "CFLAGS=-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard",
+ "LDFLAGS=-fPIE -fsanitize-coverage=trace-pc-guard",
+ "CXXFLAGS=-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard",
+ ])
 .status()
 .unwrap();
 }
@@ -62,7 +64,7 @@ fn main() {
 println!("cargo:rustc-link-search=native={}/.libs", &libpng);
 println!("cargo:rustc-link-lib=static=png16");
- //Deps for libpng: -pthread -lz -lm
+ //Deps for libpng: -pthread -lz -lm
 println!("cargo:rustc-link-lib=dylib=m");
 println!("cargo:rustc-link-lib=dylib=z");
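Review bot: The rewritten `make` invocation (@@ -49) still ends in `.status().unwrap()`, which only panics when `make` cannot be spawned; a non-zero exit (libpng failing to compile with the sanitizer flags) is ignored, the script goes on to emit `cargo:rustc-link-search` for a `.libs` directory that may hold no instrumented library, and the failure surfaces later as an unrelated link error. Bind and check the status: `let status = Command::new("make")....status().unwrap();` followed by `assert!(status.success(), "make for libpng failed: {:?}", status);`. Passing `CC=clang` and the flags as make variables instead of environment overrides whatever the configure-generated Makefile set, which is presumably the "fixed libfuzzer" part; the configure step whose `.unwrap()` opens the hunk lies outside it, so whether it received the same CC/CFLAGS cannot be checked here. Minor: `.arg(&format!(..))` borrows needlessly, `.arg(format!(..))` works since `String: AsRef<OsStr>`. `fn main` continues past the hunk.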